CVE-2026-30841

UNKNOWN 0.0

Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes using <?= $token ?> and <?= $email ?> without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute context. This issue has been patched in version 4.6.2.

CWE	CWE-79
Vendor	ellite
Product	wallos
Published	Mar 7, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for ellite wallos

Be the first to know when new unknown vulnerabilities affecting ellite wallos are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

ellite / Wallos

< 4.6.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ellite/Wallos/security/advisories/GHSA-75hc-fc26-9797 github.com: https://github.com/ellite/Wallos/commit/e8a513591dbbf885966e2ef55c38622785b9060d github.com: https://github.com/ellite/Wallos/releases/tag/v4.6.2